Very recently we detected a high number of fraud attempts through a particular VoIP modem/router, because it has several administration logins that are being left at their defaults. Attackers discover this sort of back door by referring to user manuals, and once your equipment login is compromised they can easily discover your account passwords by referring to the web interface HTML source.

So we strongly advise turning off all remote administration / login for your equipment if there's no necessity for keeping remote login open.

Also change default logins, not just admin but all login accounts that can be used to gain access to your equipment.

This way you'll be more secure against attack by silly fraudsters.

We at the Exetel end have put stringent restrictions and protections in place to minimize any fraud activity, but the most important point is endpoint security, over which we have less control; we can only provide information/guidelines to secure your endpoints.

It is good advice for anyone to secure their hardware, change from default passwords, turn off remote access, etc., but it would make sense to address owners of currently affected hardware models directly so it is not overlooked.

The one mostly detected is the Netcomm NB9W.

Don't think it's current, but is this a model Exetel used to sell? If it is, would it be possible to send a mailer out to the people that have purchased previously to advise them of the problem?

Probably worth a mention in the next newsletter regardless, for all users to tighten up their security.

FWIW, I just got done on my Exetel VoIP and MNF account for over 200 bucks of VoIP calls to Africa and the Middle East. Billion 7404.

I recently did a modem reset to default. I didn't change back the admin login.

Once I saw the calls I logged straight into my modem and, bingo, the remote access had been switched on, and the rest is history.

One point though I did receive an email, that suggested it was automated, and was sent due to the amount of voip calls that had been initiated. This only occurred about 1hr after I emailed support about the calls and in looking in my history it had been happening for a month, including same days of massive calls. You may want to look at the automated fraud detection and what triggers it.

Not complaining; in the end it was my stupid fault for not changing my admin pass.

EDIT: Make that a total of >300 bucks between Exetel VoIP and MNF... awesome!

Last edited by thecraw on Sun Aug 21, 2011 4:04 pm, edited 1 time in total.
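
A sketch of the kind of automated check raised in the post above, as an added example that is not part of the original thread and is not Exetel's detection logic. It flags a service when one day's international call count jumps far above that service's own earlier days, and keeps flagged days out of the baseline so abuse that runs for weeks never becomes "normal". The CDR layout, thresholds, service numbers and dialled numbers are assumptions constructed for illustration.

```python
import csv
from collections import defaultdict
from statistics import median

INTL_PREFIX = "0011"  # Australian international dialling prefix
MIN_CALLS = 10        # assumed floor: never alert below this many calls in a day
SPIKE_FACTOR = 5      # assumed: alert when a day exceeds 5x the prior median

def constructed_sample():
    """Constructed CDR rows (not real data): ISO time, service, dialled, seconds."""
    rows = []
    for d in (1, 2, 3):   # service ...01: quiet days, one international call each
        rows.append(f"2011-08-0{d}T09:00:00,0200000001,0298765432,120")
        rows.append(f"2011-08-0{d}T10:00:00,0200000001,00119990000001,300")
    for d in (4, 5):      # service ...01: overnight burst of 40 international calls
        rows += [f"2011-08-0{d}T02:{m:02d}:00,0200000001,0011999000{m:04d},600"
                 for m in range(40)]
    for d in range(1, 6): # service ...02: steady three international calls a day
        rows += [f"2011-08-0{d}T1{h}:00:00,0200000002,0011999111000{h},200"
                 for h in range(3)]
    return rows

def flag_toll_fraud(lines):
    """Return sorted (service, day, intl_calls) for abnormal international bursts."""
    daily = defaultdict(lambda: defaultdict(int))  # service -> day -> intl count
    for ts, service, dialled, _secs in csv.reader(lines):
        # Adding False (0) still records the day, so quiet days enter the baseline.
        daily[service][ts[:10]] += dialled.startswith(INTL_PREFIX)
    alerts = []
    for service, days in daily.items():
        history = []                               # counts from earlier normal days
        for day in sorted(days):
            count = days[day]
            baseline = median(history) if history else 0
            if count >= MIN_CALLS and count > SPIKE_FACTOR * baseline:
                alerts.append((service, day, count))
            else:
                history.append(count)              # only normal days feed the baseline
    return sorted(alerts)

if __name__ == "__main__":
    for service, day, count in flag_toll_fraud(constructed_sample()):
        print(f"ALERT {service} {day}: {count} international calls")
```

Because the second burst day is compared against the same clean baseline as the first, it is flagged as well instead of being absorbed as the new normal.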

I suspect that the internal config file (the one that can be saved to a computer and retrieved, via such as TFTP, Trivial File Transfer Protocol) is the weakest link, rather than the HTML user interface, few of which will display VoIP passwords.

Dazzled wrote: I suspect that the internal config file (the one that can be saved to a computer and retrieved, via such as TFTP, Trivial File Transfer Protocol) is the weakest link, rather than the HTML user interface, few of which will display VoIP passwords.

This saveable config file also has your ADSL logon details in it, which, if you drop the "@nsw.exetel.com.au" part of the username, is the logon to your user facilities! I liked it much better when there were 2 passwords, 1 for ADSL logon & one for the user facilities.

Keep this in mind if a wireless router isn't secure. Once someone knows the make, a default password allows instant access to the config file. Quickly grab it and disconnect, and then defraud at leisure. Most in-modem logs get overwritten so quickly nobody would know what happened.

So my father's VoIP/modem has been hacked remotely somehow, I think. We got about 20 emails like this from Exetel:

Please be advised that exetel automatic anti-fraud measures have detected a large number of calls from your voip service 028090**** today.
This has been identified as a suspicious behaviour.

Could you please advise if this is expected. If not, it is suggested that you change your VoIP DID password and your members facility password and secure your voip equipments/routers.
It is possible that your service is being compromised. Please turn off unnecessary remote administrations logins on your router / voip equipments.

He lives on a farm, 500mtrs from any other house so that rules out a Wifi hack.
We did change member / modem and voip passwords only about a week ago. The member services one we left at whatever Exetel auto-generated for us as the forgot password password which was "2DYGMQL165W0 - (now changed)" which I thought would have been pretty un-hackable. The other passwords were non-word 8 character or greater passwords with Caps included and numbers. Not the easiest to guess....

I'm a bit bummed as the modem he's using was Exetel supplied (Netcomm RTA1046VW). So if they supplied us a hackable router.... - not good. I sure hope he's not up for any of the call charges. Looks like quite a few went through and were answered.

Exetel support have just had me reset all the above passwords again so I hope this time it's fixed. Is there any other way of stopping him getting hacked other than turning remote admin of his modem off (I live 400 km away and he's totally modem illiterate so don't really want to do this!) or buying another modem? Is there a firmware patch or something available?

Thomas, the Dynalink firmware is quite well secured when locked. I wouldn't get something else.

It is trivial to scan IP addresses for an open port 1050, and bingo, we have a VoIP box! The next step is to look for the remote management port you are using - either web browser or telnet - if either one is open you now have a bull's eye on your forehead. A very simple script can search thousands of IPs in no time and report potential victims.

If the black hat should get in on the management interface he can get your VoIP login and scram pronto. Note that he needs only seconds, and the log will be overwritten before you know what happened.

That VoIP server login data is sufficient for someone anywhere, e.g. the Middle East, at his leisure, to run a phone service, even a commercial mobile setup, at your father's expense.

I would prefer that you disabled remote management, and only enabled it when needed. Can you teach your father to turn remote on and off? It might also be possible to run a script on his machine to do this if he can't; I know that the telnet interface can manage remote access.

The default login particulars of modems are widely known, so it is imperative that you use something strong.